On 30.11.2018 18:43, Lev Serebryakov wrote:
> Hello Olivier,
> 
> Friday, November 30, 2018, 3:34:50 PM, you wrote:
> 
>>>   I'm benchmarking different possible "native" VPN configurations and I have
>>>   gif(4) and gre(4) with and without IPsec in my battery. I have tunnel mode
>>>   IPsec too. The problem with gif(4) and gre(4) is that they are tremendously
>>>   expensive, and could be more expensive than IPsec itself on CPUs with
>>> AES-NI.
>>>   So, this configuration is impossible, I understand. Nothing to benchmark :-)
>> And what about using IPsec VTI (virtual tunneling interface) mode:
>> if_ipsec(4)
>   And this one too. It gives slightly more PPS than "setkey-based" tunnel
>  mode, which is a surprise for me.

If your goal is increasing PPS throughput, there are several ways to
achieve it. For example, it is possible to make direct output from the IPsec
code, I mean make a route lookup and call if_output() directly from
ipsec_process_done(). This removes many checks that ip_output() does, and
also the extra call to pfil(9).
Another idea is implementing an ipfw_ipsec(4) module that can take
packets and do IPsec processing. Then this module can be attached to the
Ethernet pfil hook and, together with the first idea, I think this can give a
measurable improvement in PPS rate.

-- 
WBR, Andrey V. Elsukov
